Tools don't always cut it, particularly if companies don't have dedicated teams to deal with the storm of alerts they send out.
BOSTON—The worst enemy of security on endpoints—including desktop and notebook computers and mobile devices both on and off the network—is the user.
That was the conclusion of a March 26 panel on the subject that was moderated by Dave Martin, Director of Information Security at EMC's Global Security Organization, here at the Boston SecureWorld Expo.
The challenge today, according to Martin, is the thirst for ubiquitous access. "The end user wants access from everything to everything," he said, not just in the office, but when they're mobile and outside the network perimeter.
Panelists agreed. "I now have a lot more 'leakage' points that can be attacked," said Tom Bowers, senior security evangelist at Kaspersky Labs. Cell phones are a prime example, Bowers said. "A cell phone used to only have a little bit of information on it, but it may now have marketing plans and other intellectual property.
As if it's not bad enough today, the potential attack surface of mobile devices is only going to expand, Bowers noted, given that Google has announced that the first Android mobile phone applications will arrive in early fall. "In a year, mobile devices will be far more potent risk factors," he said.
IT also needs to be concerned about secure data as well as endpoints, said panelist Jody Saarmaa, senior director of product marketing at Liquid Machines.
"IT needs to think about [how] data may flow between applications, like copying it from e-mail to a USB device, or a user sending sensitive data to a Gmail account because it's convenient."
When it comes to making users aware of risky behavior, it won't get you far if you're talking about cramping their productivity, said EMC's Martin. "Unless you have an almost inoperable lockdown on a tool, if a user sees a shortcut that's easier to get work done with then how effective can end-user awareness be? They can still do things they know are against policy, because they know it saves time."
Because of this, said panelist Ken Steinberg, president and chief technology officer of Savant Protection, the industry needs flaw-tolerant systems that can hold up under risky behavior of end users.
"We can't get to 'everybody knows what they're doing.' We need systems where other people don't pay the price for some users' errors," he said.
The road to real risk mitigation means striking a balance between training and technology, according to Saarmaa, such that working in a secure way is actually easier for users than the alternative. For example, rights management should be deployed automatically to protect things such as e-mail, he said.
"You have to make doing the right thing easier than doing the wrong thing," Saarmaa said. "People want to do their job in the fastest way possible."
Resource-challenged companies in particular face an uphill battle, noted Martin, in that managing the output of DRM (digital rights management) tools and stopping data leakage is resource-intensive. For companies that can't afford to devote a dedicated team to plugging holes, alerts can get out of hand unless tools can deal with alerts automatically.
"Unless you can triage and deal with alerts locally, you need software agents that can look after most of the alerts automatically, and only report critical events, which a small team can handle," Martin said.
"It's still the toughest thing," agreed audience member Richard Shay, CIO at Shay Consulting, of Norwood, Mass. "If you ignore the end users, you're 80 percent open still."
